The Three Elements of Cyber/Internet Banking Exposures
With all the attention and “new” products that have emerged on “Cyber Liability,” “Internet Liability” and “Cyber Theft,” it is time to simplify this area a bit. There are really only three (3) areas of “Loss Exposure” to which a Financial Institution should be concerned: First Party Exposure, Second Party Exposure, and Third-Party Exposures. Simple right?
First Party Exposure – These are the electronic loss exposures that directly affect your bank. Some examples are electronic theft from the bank’s computer, viruses and hacker damage to the bank’s computer, extortion threats to the bank’s computer, attacks on the bank’s website, as well as physical damage to the bank’s computer equipment.
A bank’s primary insurance protection for this sort of loss would be the Computer Theft coverage under its Financial Institution Bond. Since the exposure is so great in this area, the highest available limit should be obtained.
Second Party Exposure – These are the loss exposures to your customers through the use of the bank’s computer system. A few examples are theft of a customer’s money through the bank’s computer due to the bank’s negligence, customers obtaining a computer virus from their use of the bank’s online banking system, and loss of a customer’s personal information through a breach in the bank’s computer system. These situations would most likely create bad publicity resulting in expenses to correct the customer’s losses and/or major lawsuits. The insurance product most appropriate for this exposure is the Cyber Liability or Internet Liability Policy. This coverage can also be obtained in several Directors and Officers Liability policies. However, there is very little standardization in these policies, so be cautious! Many insurance companies are changing this policy for all industries, which may result in a bank paying for coverages it does not need, or creating overlaps in coverage that already exists.
Finally, there is Third Party Exposure – This loss exposure is from the public at large or governmental agencies. A couple of examples are violations of trademark or copyright laws through the bank’s website, and fines or lawsuits by the FDIC or OCC for failure to comply with online banking regulations.
Again, Cyber Liability insurance coverage is your first line of defense. However, most insurance companies will automatically exclude regulatory lawsuits, and you will need to negotiate a “buyback” coverage.
Analyze your Cyber exposures. What assets do you have exposed to Cyber risk, and what insurance coverage OR Risk Control techniques do you have to protect your bank from these exposures? Make a list of the scenarios you are most concerned about, and ask your insurance company if your policy covers it. You probably will not get a straight answer, but it’s a start.